Lucene search

[email protected]NVD:CVE-2021-41803

HistorySep 23, 2022 - 1:15 a.m.

CVE-2021-41803

2022-09-2301:15:08

CWE-862

[email protected]

web.nvd.nist.gov

hashicorp consul

jwt claim assertions

auto config rpc

security vulnerability

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

0.002 Low

EPSS

Percentile

59.8%

JSON

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

Affected configurations

NVD

Node

hashicorpconsulRange1.8.1–1.11.9-

hashicorpconsulRange1.8.1–1.11.9enterprise

hashicorpconsulMatch1.12.4-

hashicorpconsulMatch1.12.4enterprise

hashicorpconsulMatch1.13.1-

hashicorpconsulMatch1.13.1enterprise

References

discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/

www.hashicorp.com/blog/category/consul

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

0.002 Low

EPSS

Percentile

59.8%

JSON

Related for NVD:CVE-2021-41803

osv4 cgr1 debiancve1 cvelist1 prion1 veracode1 alpinelinux1 cve1 redhatcve1 github1 ubuntucve1 wolfi1 photon2 fedora3 nessus3 openvas3